Briefings on Accreditation and Quality, May 1, 2018

Earlier this year there was some confusion over CMS’ texting policies. The agency later confirmed that providers are allowed to text patient health information (PHI) using a secure messaging app. However, texting medical orders is still forbidden.

Chris Apgar, CISSP, is president and CEO of Apgar & Associates and former HIPAA compliance officer for Providence Health Plans. He spoke with BOAQ about texting policies and compliance. The following Q&A has been lightly edited for clarity.

Q: What are the minimum requirements for a secure healthcare texting platform?

Apgar: The minimum requirements would be in accordance with the National Institute for Standards and Technology. And that would be a level of encryption of 128 bits, so really what you’re looking for in a secure texting platform is something that at a minimum has a 128-bit encryption.

If you look at it encrypted at that level, it becomes a safe harbor, so even if someone intercepts the text message it’s not a breach of PHI.

*MAGNET™, MAGNET RECOGNITION PROGRAM®, and ANCC MAGNET RECOGNITION® are trademarks of the American Nurses Credentialing Center (ANCC). The products and services of HCPro are neither sponsored nor endorsed by the ANCC. The acronym "MRP" is not a trademark of HCPro or its parent company.